08-18-2005 05:20 AM - edited 02-21-2020 12:20 AM
I have been given the task to analyze daily our PIX 515E log for signs of intrusion or "unusual" activity. We currently use Security Monitor and I also send the logs directly to my PC using Kiwi Syslog.
I know that each installation is different but I need some general guidelines to use. I am not exactly sure what to look for that indicates a possible port scan, "unauthorized entry" to the network and what to look for in general that may indicate an attack is in progress or has already happened. Any guidance anyone can give in this area would be much appreciated.
08-18-2005 08:30 PM
Hello dohougue
For a reasonable amount of intrusion detection, you can use a normal syslog server, but correlating the incidents on the log will be pretty tough. There will be thousands of messages on the syslog server, which will be very tough to read.
If you want an easy to read front end, you can use tools like "firewall analysers" from EIQ networks. Have a look at this URL:
http://eiqnetworks.com/newsroom/presskit/nsav42_datasheet.pdf
This is a good product which has really good graphical interfaces for the alarms and vulnerabilities.
If you are looking to block these automatically, use an IDS/IPS appliance in front of the PIX to detect these packets. With the help of an IDM or VMS, you can see all the attacks in the form of events, which you can block/reset or log.
Hope this helps. Rate replies if found useful.
Raj
08-22-2005 05:53 AM
Well, if you have a lot of $$ you can go for the webtrends package;
if not, you can stick to open source and use syslog with some log parsing tool like swatch or similar.
But for that you need to know what you would be looking for anyway, as it's not that easy to distinguish between an attack going on or just a simple scan. And be prepared for an overwhelming amount of data (counted in Gigs per day).
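As an added illustration of the kind of log parsing the reply above has in mind (not code from any poster or from Cisco), the following script walks PIX access-list deny messages and flags the two patterns the original question asks about: one source probing many ports on one host (port scan) and one source probing one port across many hosts (host sweep). The sample lines are constructed in the style of `%PIX-4-106023` messages and the thresholds are arbitrary assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample log in the style of PIX 106023 deny messages; the
# addresses and access-group name are made up, not from the poster's firewall.
SAMPLE_LOG = """\
Aug 18 2005 05:20:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:192.0.2.10/21 by access-group "outside_in"
Aug 18 2005 05:20:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40212 dst inside:192.0.2.10/22 by access-group "outside_in"
Aug 18 2005 05:20:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40213 dst inside:192.0.2.10/23 by access-group "outside_in"
Aug 18 2005 05:20:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40214 dst inside:192.0.2.10/25 by access-group "outside_in"
Aug 18 2005 05:20:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40215 dst inside:192.0.2.10/80 by access-group "outside_in"
Aug 18 2005 05:20:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40216 dst inside:192.0.2.10/443 by access-group "outside_in"
Aug 18 2005 05:20:04 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40217 dst inside:192.0.2.11/22 by access-group "outside_in"
Aug 18 2005 05:20:04 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40218 dst inside:192.0.2.12/22 by access-group "outside_in"
Aug 18 2005 05:21:10 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:192.0.2.10/80 by access-group "outside_in"
Aug 18 2005 05:21:11 pix %PIX-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/51001 (203.0.113.9/51001) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

# Only the access-list deny message carries the src/dst/port fields we need.
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')

def parse_denies(log_text):
    """Yield (src, dst, dport) for each 106023 line; other messages are skipped."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.group('src'), m.group('dst'), int(m.group('dport'))

def find_port_scanners(log_text, min_ports=5):
    """Sources denied on >= min_ports distinct ports of a single host (port scan)."""
    ports = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        ports[(src, dst)].add(dport)
    return {f"{src}->{dst}": sorted(p)
            for (src, dst), p in ports.items() if len(p) >= min_ports}

def find_host_sweeps(log_text, min_hosts=3):
    """Sources denied on the same port across >= min_hosts distinct hosts (sweep)."""
    hosts = defaultdict(set)
    for src, dst, dport in parse_denies(log_text):
        hosts[(src, dport)].add(dst)
    return {f"{src}/{dport}": sorted(h)
            for (src, dport), h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    print("port scans:", find_port_scanners(SAMPLE_LOG))
    print("host sweeps:", find_host_sweeps(SAMPLE_LOG))
```

A single denied connection, like the one from 203.0.113.9, stays below both thresholds, which is the distinction between a stray packet and a scan that the reply says you have to draw yourself.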